WIP - Get trust from caPubs in IP #66

Draft
wants to merge 3 commits into
base: master
1 change: 1 addition & 0 deletions Makefile_v1
Expand Up @@ -390,6 +390,7 @@ else ifeq ($(CA_SECTION),CloudCA)
PROFILE_PATH="/p/$(CMP_PROFILE)"
endif
override EXTRA_OPTS += -path "/.well-known/cmp$(PROFILE_PATH)" -reqexts empty
EXTRA_OPTS_IMPRINT = -trusted "" -out_trusted "" -cacertsout creds/trusted/caPubs.pem
else
CA_SECTION=EJBCA
EXTRA_OPTS_IMPRINT= -path "$(ENV::EJBCA_PATH_IMPRINT)" -subject "$(EJBCA_CMP_SUBJECT_IMPRINT)"
3 changes: 2 additions & 1 deletion config/demo.cnf
Expand Up @@ -154,7 +154,8 @@ tls_trusted = creds/trusted/DigicertGlobalRootG2.crt
# Tenant on server
recipient = /CN=CloudPKI-Integration-Test
cacert = creds/trusted/CloudCA_Root_v2.crt
trusted = $cacert
caPubs = creds/trusted/caPubs.pem
trusted = $cacert,$caPubs
out_trusted = $cacert
own_trusted = $cacert

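Review bot: `trusted = $cacert,$caPubs` now names creds/trusted/caPubs.pem, which this PR adds as an empty file; if the OpenSSL certificate loader rejects a PEM file containing no certificates (worth checking for the `trusted` input), every demo run before the imprint step has populated the file would fail to start instead of falling back to $cacert alone. The config should also say, next to the `caPubs =` line, where the file comes from and what it means for trust: it is written by the imprint run (`-cacertsout creds/trusted/caPubs.pem` in Makefile_v1) and its contents then act as trust anchors for all later exchanges, which is the security-relevant decision a future editor of `trusted` needs to see. A comment such as `# caPubs.pem is filled by the imprint run; its certificates become trust anchors for every later exchange` would be enough.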
Empty file added creds/trusted/caPubs.pem
Empty file.
28 changes: 27 additions & 1 deletion src/genericCMPClient.c
Expand Up @@ -108,6 +108,32 @@ static X509_NAME *parse_DN(const char *str, const char *desc)
return name;
}

static int certConf_caPubs_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, const char **text)
{
X509_STORE *new_ts = NULL, *new_cert_truststore = OSSL_CMP_CTX_get_certConf_cb_arg(ctx);
STACK_OF(X509) *caPubs = NULL;
int i, ret = 0;

if (OSSL_CMP_CTX_get0_trustedStore(ctx) == NULL) { /* with MAC-based response protection only */
caPubs = OSSL_CMP_CTX_get1_caPubs(ctx);
if (new_cert_truststore == NULL) {
if ((new_ts = X509_STORE_new()) == NULL)
goto err;
new_cert_truststore = new_ts;
if (!OSSL_CMP_CTX_set_certConf_cb_arg(ctx, new_ts))
goto err;
}
for (i = 0; i < sk_X509_num(caPubs); i++)
if (!X509_STORE_add_cert(new_cert_truststore, sk_X509_value(caPubs, i)))
goto err;
}
ret = OSSL_CMP_certConf_cb(ctx, cert, fail_info, text);
err:
X509_STORE_free(new_ts);
CERTS_free(caPubs);
return ret;
}

CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx,
OSSL_LIB_CTX *libctx, const char *propq,
OPTIONAL LOG_cb_t log_fn,
Expand Down Expand Up @@ -247,7 +273,7 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx,

X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);

if (!OSSL_CMP_CTX_set_certConf_cb(ctx, OSSL_CMP_certConf_cb) ||
if (!OSSL_CMP_CTX_set_certConf_cb(ctx, certConf_caPubs_cb) ||
!OSSL_CMP_CTX_set_certConf_cb_arg(ctx, new_cert_truststore) ||
!X509_STORE_up_ref(new_cert_truststore))
goto err;
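Review bot: In certConf_caPubs_cb (first hunk) `ret` starts at 0, so every `goto err` path — X509_STORE_new, OSSL_CMP_CTX_set_certConf_cb_arg or X509_STORE_add_cert failing — returns 0, which the certConf callback contract treats as acceptance of the newly enrolled certificate, skipping the path check OSSL_CMP_certConf_cb would otherwise perform; initialise it as a rejection instead, `int i, ret = fail_info | (1 << OSSL_CMP_PKIFAILUREINFO_systemFailure);`, so an internal failure can never accept the cert. Second, `X509_STORE_free(new_ts)` at `err:` also runs on the success path, yet `new_ts` has just been installed as the ctx's certConf_cb_arg, which stores a plain pointer, so the ctx is left with a dangling store once the callback returns; the second hunk shows this file pairs the set with an up_ref, and the same is needed here: `if (!OSSL_CMP_CTX_set_certConf_cb_arg(ctx, new_ts) || !X509_STORE_up_ref(new_ts)) goto err;`. Finally, the comment `/* with MAC-based response protection only */` records an inference rather than a check — a NULL trusted store does not by itself prove the response was MAC-protected — so the function comment should state that caPubs is adopted as trust anchors only because the response's integrity was verified through the shared secret, and that the ctx setup must guarantee this, since adopting caPubs from an unauthenticated message would let a responder choose the client's trust anchors.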